Rafael David Tinoco

icon indicating a website link www.garnet.ai icon indicating an email [email protected]

icon company @garnet-org icon location Canada icon location Jibril Runtime Security @ Garnet | Former Core Dev of Tracee and Ubuntu | Former AquaSec, Canonical, IBM, Linaro, RedHat and Sun Microsystems. Mainframe lover.

Results 235 comments of Rafael David Tinoco

Alert when a program tries to access one of Tracee's maps

On your statement: >This will require some work, and can be done by a future PR. The current idea that I have in mind is to iterate over tracee's maps...

Alert when a program tries to access one of Tracee's maps

> > So my initial statement is more correct in the sense that we can do pretty much everything by probing security_bpf(). Also, if probing security_bpf_map() we would be able...

Alert when a program tries to access one of Tracee's maps

I think it would work. I like it. > If one tries to tamper this new bpf map, let's say, the FIRST call to bpf(BPF_MAP_GET_FD_BY_ID), needed for the tampering, would...

tracee single binary should not load plugin if traced events is not a signature event

@josedonizetti thoughts ?

tracee single binary should not load plugin if traced events is not a signature event

@josedonizetti all yours if and when you have time. Thanks :*.